CWE-1277: Firmware Not Updateable

BaseDraft

The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.

View on MITRE
Back to CWE Lookup

Extended Description

Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future. This can expose consumers to permanent risk throughout the entire lifetime of the device, which could be years or decades. Some external protective measures and mitigations might be employed to aid in preventing or reducing the risk of malicious attack, but the root weakness cannot be corrected.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1277: Firmware Not Updateable?+

CWE-1277: Firmware Not Updateable is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present. Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future. This can expose consumers to permanent risk throughout the entire lifetime of the device, which could be years or decades. Some external protective measures and mitigations might be employed to aid in preventing or reducing the risk of malicious attack, but the root weakness cannot be corrected.

What are the security consequences of Firmware Not Updateable?+

If exploited, CWE-1277 (Firmware Not Updateable) it can compromise Confidentiality, Integrity, Access Control, Authentication and Authorization, leading to outcomes such as Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands and DoS: Crash, Exit, or Restart.

How do you prevent or mitigate Firmware Not Updateable?+

Recommended mitigations for CWE-1277 include: Specify requirements to include the ability to update the firmware. Include integrity checks and authentication to ensure that untrusted firmware cannot be installed. Design the device to allow for updating the firmware. Ensure that the design specifies how to distribute the updates and ensure their integrity and authentication. Implement the necessary functionality to allow the firmware to be updated.

How is Firmware Not Updateable detected?+

CWE-1277 can be detected using Manual Analysis, Architecture or Design Review and Manual Dynamic Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Firmware Not Updateable?+

CWE-1277 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Firmware Not Updateable?+

MITRE documents real CVEs mapped to CWE-1277, including CVE-2020-9054 and [REF-1095]. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1277 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More